constraints process), and /usr/sbin/ntpd "x" to perform fork+exec operations.

harm if not deleted after the daemon is shutdown and at the same time we also
tackle another attack surface by not allowing the program to create/delete
any more files (by removing "cpath" promise from pledge(2)).
Discussion initiated by a question from deraadt@ OK florian@

currently doesn't call the function control_cleanup to do so. The solution is
to simply call that function just before the program quits.
"sure" henning@

as unsynced. reported by naddy, also seen by me (I noticed because
monitoring-plugins check_ntp complained). ok claudio henning

sensors, mark us unsynced again. ok reyk krw, pt out / discussion / help naddy

calloc or strdup), we just need to log that we ran out of memory in a
particular function.
Recommended by florian@ and deraadt@
ok benno@ henning@ tb@

running out of memory.
Next step, be correct *and* consistent.
ok dennis@ tb@ benno@ schwarze@

the text about enabling it;
ok deraadt

in "query from"; ok phessler@ job@

some cases.
OK naddy@ henning@

address for outgoing ntp queries.
From Job Snijders, thanks!
with feedback and ok henning@

warn with the same severity.  Switch log_warn() to LOG_ERR and keep
fatal() at LOG_CRIT.
OK reyk@ florian@

terminated by a null pointer.
ok rzalamena@ reyk@

This replaces log_verbose() and "extern int verbose" with the two functions
log_setverbose() and log_getverbose().
Pointed out by benno@
OK krw@ eric@ gilles@ (OK gilles@ for the snmpd bits as well)

TAILQ_FOREACH().
No intentional functional change.
ok reyk@

so it is safe calling log_* after an error without loosing the it.

using the heap.
ok bcook@

variables that were also never used
OK otto@

to send message to the child process. Do like we learned in httpd(8).
ok deraadt@

this should fix the problem with random ntpd(8) deaths.
ok deraadt@

additional actions before printing it.  OK rzalamena@

case the dup2() would fail silently and the descriptor would remain with
the CLOEXEC flag causing the exec*()d child process to have unexpected
behavior.
ok guenther@

with this change we get the pledge() ability back to the parent process.
some tweaks from and ok reyk@

it, remove some verbose shutdown messages that we had before with pipe
close.
ok reyk@

ok reyk@, bcook@

obvious why it is implemented this way.  The whole idea of constraints
is to isolate them as much as possible, in a semi-paranoid way.
OK rzalamena@

OK from the original author Alexander Guy

part of the original ISC license that we use in OpenBSD.  Done for
files were Henning is the original author.
OK henning@ deraadt@

ok deraadt@

changes - map the previous configuration to the equivalent in the new
groups. This will be revisited post release.
Discussed with beck@

became more visible recently because a log_debug was changed to
log_warnx.  Change it back for now.
ok jsing

ensure that we load the CA certificates and use tls_connect_servername()
so that we can verify the server we are connecting to (even though we've
already resolved the hostname). Also add additional warnings for TLS
connect and TLS write failures so that we know what is happening and why.
Lack of server name verification also reported by Luis M. Merino
<luismiguelmerino at gmail dot com> - thanks!
ok deraadt@ reyk@

ok deraadt@ reyk@

for ntpd(8), removing the pledge call is a first step: futher redesign will occurs later.
ok reyk@ benno@

removing its second parameter and the enum() that provided the
values for said parameter.
The function was only called with the second parameter set to one
value (BM_NONBLOCKING) from the enum(). So just do the right thing.
Similar to changes made in smtpd.
While here remove the pointless third parameter from the fcntl(F_GETFL)
call.
No functional change.
ok guenther@ bcook@ deraadt@

no other timezone than the fixed string "GMT".  Avoid using strptime %Z,
which is nonstandard and can give surprising results on other operating
systems.  ok deraadt@ giovanni@ bcook@

titles (including flags) to distinguish between daemons, this makes it
possible to manage multiple copies of a daemon using the normal infrastructure
by symlinking rc.d scripts to a new name. ok jung@ ajacoutot@, smtpd ok gilles@

process management of the contraint processes has been moved from ntp
to the parent, for better privsep and pledge, but the ntp process
still attempted to kill the constraints on timeout directly.  Fix this
regression by introducing a new imsg from ntp to the parent and the
related logic to kill a constraint at the right place.
Reported & tested by bcook@
Ok bcook@

ok reyk@

Instead, check the return value of fprintf() and fflush()
and call clearerr() before returning on error.  OK jca@

OK bcook@

OK bcook@ jung@

and actually not a "logging" function.  No functional change.

used by the constraint processes setup later (chroot, setuid...)
[late getpwnam discovered during a further audit]
ok millert